[blfs-dev] CA Certificates

Bruce Dubbs bruce.dubbs at gmail.com
Thu Mar 6 09:15:33 PST 2014


Henrik /KaarPoSoft wrote:
> Dear all,
>
> On
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
> you indicate to download CA Certificates from:
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>
> However, on the "mxr frontpage"
> http://mxr.mozilla.org/
> the branch "Mozilla CVS"
> http://mxr.mozilla.org/mozilla/
> is described as follows:
>
> QUOTE
> This contains the entire current CVS repository.
> For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk,
> and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.*
> security releases.
> UNQUOTE
>
> So I would like to suggest that alternative sources may be described as well.
> See e.g.
> http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla
>
> (You are more than welcome to link to this page, if you find it
> appropriate).
>
> We are not the only ones struggling to figure out which branch to use.
> See e.g. the thread started here:
> http://curl.haxx.se/mail/archive-2013-12/0033.html
>
> The integrity of the certdata.txt file is essential,
> so I would also like to suggest that
> 1) you download from https://hg.mozilla.org/...
> 2) you include a sha256 checksum for the file.

It would seem that 
https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt 
is correct right now, but I don't see a way to specify 'current' or 
'latest' for the raw file that we need.

We could write a script to download the html and then parse the raw file
URL, but that would require downloading a 5M file just to get the url of
a 1.5M file.  :(

I don't see how we can give a checksum if the file is changing.  We need 
to let users decide which version they need.

I'd be interested in other ideas.

   -- Bruce
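The checksum step Henrik suggests can still be done on the user's side even when the book cannot pin one: whoever picks an hg revision records the digest of the certdata.txt they reviewed, and the build refuses a file that does not match it. The script below is an added example written for this thread, not from the BLFS book or from Mozilla; the file contents and the recorded digest are constructed stand-ins (the digest is SHA-256 of the three bytes "abc"), and the function names are my own.

```shell
#!/bin/sh
# Added example: verify a downloaded certdata.txt against a SHA-256 digest that
# the user recorded for the hg revision they chose. Not from the BLFS book.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
# Uses coreutils sha256sum, falling back to openssl where it is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_certdata FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 otherwise (missing file counts as a
# failure). The expected digest may be given in either case.
verify_certdata() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_certdata: $file: no such file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demonstration on a constructed stand-in for certdata.txt (not Mozilla data).
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/certdata.txt"
# The digest the user recorded when they picked their hg revision
# (constructed value: SHA-256 of "abc").
RECORDED_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
verify_certdata "$demo_dir/certdata.txt" "$RECORDED_SHA256"

# A file from a different revision, or one altered in transit, is refused.
printf 'abd' > "$demo_dir/certdata.txt"
verify_certdata "$demo_dir/certdata.txt" "$RECORDED_SHA256" \
    || echo "refusing to install unverified certdata.txt"
rm -rf "$demo_dir"
```

In a build script the call would sit between the download and the conversion to PEM, so that a mismatch stops the install before any certificate is trusted; the recorded digest is the one value the user has to carry forward when they move to a newer revision.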
